render.com:httponly cookie做res.cookie Web Services之间的浏览器存储
我有一个使用httponly cookie进行身份验证的Nestjs应用程序。在开发中,一切正常。我的NextJS客户端(http:// localhost:4200)使用GraphQl将登录请求发送到我的Nestjs Server(http:// localhost:3333),该服务器将httponly cookie设置在响应中,然后成功将cookie添加到cookie to cookie for浏览器存储。
但是,当我将两个应用程序部署到render.com时,除了最后一步之外,一切都可以使用。 cookie在响应中已成功收到,但未添加到浏览器存储中。有趣的是,如果我使用部署的生产服务器的GraphQl操场来制作登录请求,则一切都可以。因此,显然,问题似乎是该请求来自子域。
我的生产配置:
客户端: https://swingapple-web-staging.onrender.onrender.onrender.onrender.onrender.onrender .com
服务器: https://swingapple-api-staging.onrender.com
cookies cookies设置(服务器):
sameSite: process.env.NODE_ENV === 'production' ? 'none' : 'lax',
secure: process.env.NODE_ENV === 'production',
domain: process.env.NODE_ENV === 'production' ? '.onrender.com' : undefined
Nestjs的GraphQlModule设置(服务器):
playground: true,
introspection: true,
autoSchemaFile: true,
sortSchema: true,
context: ({ req, res }) => ({ req, res }),
cors: {
credentials: true,
origin: [process.env.CLIENT_URL, 'http://localhost:4200']
}
相关的Nest Main.ts config(server):
app.set('trust proxy', 1);
graphql-request-request settings(client):
credentials: 'include'
我花了几天的时间试图解决这个问题,因此任何帮助都将不胜感激!
I have a NestJs app that uses HttpOnly cookies for authentication. In development everything works perfectly. My NextJs client (http://localhost:4200) uses Graphql to send a login request to my NestJs server (http://localhost:3333), which sets httpOnly cookies in the response, and then the client successfully adds the cookies to the browser storage.
However, when I deploy both apps to Render.com, everything works apart from the final step. The cookies are successfully received in the response, but are not added to the browser storage. Interestingly, if I use the GraphQL playground of the deployed production server to make the login request, everything works. So, clearly, the issue seems to be that the request is coming from a subdomain.
My production configuration:
Client: https://swingapple-web-staging.onrender.com
Server: https://swingapple-api-staging.onrender.com
Cookies settings (Server):
sameSite: process.env.NODE_ENV === 'production' ? 'none' : 'lax',
secure: process.env.NODE_ENV === 'production',
domain: process.env.NODE_ENV === 'production' ? '.onrender.com' : undefined
Nestjs's GraphQLModule settings (Server):
playground: true,
introspection: true,
autoSchemaFile: true,
sortSchema: true,
context: ({ req, res }) => ({ req, res }),
cors: {
credentials: true,
origin: [process.env.CLIENT_URL, 'http://localhost:4200']
}
Relevant Nest main.ts config (server):
app.set('trust proxy', 1);
graphql-request settings (client):
credentials: 'include'
I've spent days trying to figure this out so any help would be really appreciated!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
在与render.com支持交谈后,他们告诉我
onrender.com(其子域的域)在公共后缀列表中,这意味着跨站点cookie无法正常工作。解决方案是为这两种Web服务添加一个自定义域(显然必须是同一app.my-custom-domain.com和api.my-custom-domain.com)。我这样做了,现在一切都按预期工作了!After speaking with the Render.com support, they informed me that
onrender.com(the domain for their subdomains) is on the public suffixes list, which means cross site cookies won't work. The solution was to add a custom domain for both Web Services (which obviously has to be the same e.g. app.my-custom-domain.com and api.my-custom-domain.com). I did this, and now everything is working as intended!除了添加自定义域外,您不能做任何其他事情。我觉得这个奇怪。
渲染应该为此做些事情。
You can't do anything other than just adding a custom domain. I find this strange.
Render should do something about it.